Analysis

max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 05/06/2024, 21:39
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: https://www.itsoeh.edu.mx/front/
  Resource: win10v2004-20240426-es
Behavioral task: behavioral2
  Sample: https://www.itsoeh.edu.mx/front/
  Resource: win10v2004-20240508-es
General

Target: https://www.itsoeh.edu.mx/front/

Malware Config

Signatures
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                     Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  512   msedge.exe           (x2)
  4444  msedge.exe           (x2)
  4416  identity_helper.exe  (x2)
  3852  msedge.exe           (x4)

Suspicious behavior: LoadsDriver (6 IoCs)
  pid   Process
  4     Process not Found    (x5)
  656   Process not Found    (x1)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid   Process
  4444  msedge.exe           (x10)

Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   Process
  4444  msedge.exe           (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  pid   Process
  4444  msedge.exe           (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  description                       pid   Process     procid_target
  PID 4444 wrote to memory of 588   4444  msedge.exe  81   (x2)
  PID 4444 wrote to memory of 4232  4444  msedge.exe  83   (x40)
  PID 4444 wrote to memory of 512   4444  msedge.exe  84   (x2)
  PID 4444 wrote to memory of 3416  4444  msedge.exe  85   (x20)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4444)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.itsoeh.edu.mx/front/
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 588)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9891546f8,0x7ff989154708,0x7ff989154718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4232)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 512)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4496)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3836)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1028)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3496)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1800)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3876)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1728)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4472)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 536)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4876)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3024)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3852)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,14036929340407072388,317647119500684517,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3660 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\CompPkgSrv.exe  (PID 2420)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe  (PID 3448)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 1ac52e2503cc26baee4322f02f5b8d9c
SHA1: 38e0cee911f5f2a24888a64780ffdf6fa72207c8
SHA256: f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
SHA512: 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Filesize: 152B
MD5: b2a1398f937474c51a48b347387ee36a
SHA1: 922a8567f09e68a04233e84e5919043034635949
SHA256: 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
SHA512: 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Filesize: 5KB
MD5: 01719c1810d7d550a148d60b176561f4
SHA1: 47c4e2d1b1f85593d7777f889123db06b69f3839
SHA256: b5c29836c31077bb2af47f70273be42d2a5fa4bb8673661d9a62369399b3a504
SHA512: 2acf1b19e670c9b5a5649983935b64e5518e9aa0ac9eeeaff118ec908c7989c4d87d4fc1d8b24aaec3eada403b63e73e71a4291c6ffd8d650f7756d24f9d98d4

Filesize: 6KB
MD5: 190aa5102bfca66346a765c6d2694a41
SHA1: 718deac55365b7af15100bda61f1cd6dc03ba5c5
SHA256: 035969a7a4e60ba779c29ce8c2073600e1555c596e6876662cb0b829b4ad261a
SHA512: a509090954819369e4a39477140398452810551bcbd9feefc40b47ab2095ca7b8a6b705fdc16a7ecc40be253c1ef3ae8c55ec843f78d82f2f96ea8fa911d6ccc

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: 28f3cb4f997583db185a74fcc01d9a53
SHA1: afc32323cb6f3e89b07f39fb40948ac00f946ab0
SHA256: 74c1ee39e7d1820319a213ebb1dad90d74fcd4c1951550c686944d413520212b
SHA512: a691ad7ec6b2931f4c646feb6e17a3cd6cb82d5203302ee00d89d092b075ad4aefd15ccad75598565dcc3c3a3e3e93f2390ecea5dcb050219da22746e2bc0785

Filesize: 10KB
MD5: 81b68bbb3b6c2fdeefb41719c16c5a68
SHA1: a7165d57f28bcaddd008328a5a495a779ba692f4
SHA256: 1ee6df8803e5bd90d054aac0f5de27d6154b1c78f05cc87962c0e9b548bf801a
SHA512: 6d6018f236498cd2c7e00cf91d76dcf23631505f2f1ea58d0be43009c318e4d0984bd0eb80c228e2ce601fac59814a35ec80c4975fd73900bf91cc941b2203ae